iptables drop or reject
smallm at panix.com
Thu Aug 14 10:43:44 EDT 2003
On Wed, Aug 13, 2003 at 11:29:58PM -0400, Derek Martin wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Wed, Aug 13, 2003 at 02:58:54PM -0400, Dan Barrett wrote:
> > I have read that drop is a better bet in terms of defending against
> > an attack: packets sent to the box disappear down a black hole, and
> > the attacker may not be able to ascertain the state of the victim.
>
...
> But, that attacker doesn't really care if you're there or not, either.
> They only care whether or not the service you have running on port 53
> is vulnerable. So it doesn't really matter, from that perspective,
> whether you use DROP or REJECT.
>
> > In terms of cutting down network traffic with respect to msblast,
> > drop sounds like the more appropriate of the two.
>
> This is almost certainly false, unless the thing ignores TCP/IP
> errors. If you use REJECT, iptables sends the originator an ICMP
> port unreachable message, which tells the sender there's no point in
> continuing to attempt a connection. If you use DROP, all the
> originator knows is that it hasn't received any sort of
> acknowledgement YET. That doesn't mean it won't... so it will likely
> keep trying, until some sort of timeout is exceeded. IOW, the packets
> keep coming. If you're trying to reduce network traffic, this is
> almost certainly NOT what you want.
I think the situation here is that many hosts with the worm are hitting
the box at the same time. I have a limit on my log target so I only see
one every 3 minutes, but I'm guessing there are quite a few hitting each
second. Maybe I should turn off that limit and see what's really happening.
I actually tried changing from REJECT to DROP after Dan's response and
saw a dramatic improvement throughout the evening and today. Mind you,
RCN could have started to block 135 or maybe a lot of people have
actually managed to install the patch and remove it from their systems.
For that matter, I don't really know if the worm had anything to do with
the slowness. Guess I should change back and forth a few times and see
how it goes.
--
Mike Small
smallm at panix.com
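The point Derek makes above (REJECT answers the first SYN with an ICMP port unreachable and the sender gives up; DROP leaves the sender to retransmit until its own timeout) can be put in numbers. The following is an added example, not code from the thread: it models one TCP connection attempt to a port that an iptables rule handles with `-j DROP` versus `-j REJECT` (iptables' default reject type for TCP is `icmp-port-unreachable`; `--reject-with tcp-reset` would send a RST instead, with the same effect on the sender). The sender profiles are assumptions stated in the code (a Linux default of 6 SYN retransmissions starting at a 1 s RTO, and a Windows XP era default of 2 retransmissions starting at 3 s); the exponential backoff is the standard one. It only models a sender whose TCP stack honours the ICMP error, which is exactly the caveat in the quoted reply: a worm that ignores errors, or that simply moves on to the next address, is not slowed by either target.

```python
"""Cost on the wire of one TCP connection attempt against an iptables
DROP target versus a REJECT target (added example, not from the thread)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SenderProfile:
    """How a connecting TCP stack retransmits an unanswered SYN."""
    name: str
    initial_rto: float   # seconds before the first SYN retransmission
    syn_retries: int     # retransmissions after the initial SYN


# Assumed profiles (not stated on the page):
#  - Linux: net.ipv4.tcp_syn_retries default 6, first RTO 1 s
#  - Windows XP: TcpMaxConnectRetransmissions default 2, first RTO 3 s
LINUX_DEFAULT = SenderProfile("linux-default", initial_rto=1.0, syn_retries=6)
WINDOWS_XP_DEFAULT = SenderProfile("winxp-default", initial_rto=3.0, syn_retries=2)


def connection_attempt(policy: str, sender: SenderProfile):
    """Return the packets exchanged for one attempt as (time, direction, kind).

    direction is "in" for packets arriving at the firewalled host and
    "out" for packets it sends back.
    """
    events = [(0.0, "in", "SYN")]
    if policy == "REJECT":
        # netfilter answers the first SYN at once; a sender that honours the
        # ICMP error treats it as a hard failure and stops retransmitting.
        events.append((0.0, "out", "ICMP port-unreachable"))
        return events
    if policy == "DROP":
        # Nothing goes back, so the sender keeps retransmitting with
        # exponential backoff until its retry budget is exhausted.
        t, rto = 0.0, sender.initial_rto
        for _ in range(sender.syn_retries):
            t += rto
            events.append((t, "in", "SYN (retransmit)"))
            rto *= 2
        return events
    raise ValueError(f"unknown policy {policy!r}")


def summarize(policy: str, sender: SenderProfile) -> dict:
    """Packets in each direction and when the sender finally gives up."""
    events = connection_attempt(policy, sender)
    inbound = sum(1 for _, d, _ in events if d == "in")
    outbound = sum(1 for _, d, _ in events if d == "out")
    if policy == "DROP":
        # After the last retransmission the sender waits one more RTO
        # before reporting the connect() as timed out.
        gives_up_at = events[-1][0] + sender.initial_rto * 2 ** sender.syn_retries
    else:
        gives_up_at = 0.0
    return {"inbound": inbound, "outbound": outbound, "gives_up_at": gives_up_at}


def packets_per_hour(policy: str, sender: SenderProfile, attempts_per_second: float) -> int:
    """Total packets per hour (both directions) for a steady stream of
    independent attempts, e.g. many infected hosts probing port 135."""
    s = summarize(policy, sender)
    return int((s["inbound"] + s["outbound"]) * attempts_per_second * 3600)


if __name__ == "__main__":
    for sender in (LINUX_DEFAULT, WINDOWS_XP_DEFAULT):
        for policy in ("DROP", "REJECT"):
            print(sender.name, policy, summarize(policy, sender))
    # Constructed load: one probe per second from the worm population.
    print("DROP  pkts/hour:", packets_per_hour("DROP", WINDOWS_XP_DEFAULT, 1.0))
    print("REJECT pkts/hour:", packets_per_hour("REJECT", WINDOWS_XP_DEFAULT, 1.0))
```

With the assumed Windows XP profile a DROP costs three inbound SYNs over 21 seconds per attempt, against one SYN in and one ICMP out for REJECT; a Linux sender with defaults sends seven SYNs and does not give up for 127 seconds. Note that REJECT moves one packet per attempt onto the outbound side of your link, which matters on an asymmetric consumer line, and that neither target changes how many new attempts arrive.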